feat(tazjin/nixos): issue wildcard cert for yggdrasil services
Issue a wildcard certificate using the Yandex Cloud DNS plugin (which is where DNS for tazj.in is hosted). Change-Id: I44fa48add660f4f4324ec4b056a81d78c45ff4f4 Reviewed-on: https://cl.tvl.fyi/c/depot/+/12481 Reviewed-by: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI
This commit is contained in:
parent
e5edb3b192
commit
adf8a7da87
3 changed files with 18 additions and 2 deletions
|
@ -72,8 +72,22 @@ in
|
|||
|
||||
time.timeZone = "UTC";
|
||||
|
||||
security.acme.acceptTerms = true;
|
||||
security.acme.defaults.email = lib.mkForce "acme@tazj.in";
|
||||
security.acme = {
|
||||
acceptTerms = true;
|
||||
defaults.email = lib.mkForce "acme@tazj.in";
|
||||
|
||||
# wildcard cert for usage with Yggdrasil services
|
||||
certs."y.tazj.in" = {
|
||||
dnsProvider = "yandexcloud";
|
||||
credentialFiles.YANDEX_CLOUD_IAM_TOKEN_FILE = "/run/agenix/lego-yandex";
|
||||
extraDomainNames = [ "*.y.tazj.in" ];
|
||||
|
||||
# folder tvl/tazjin-private/default
|
||||
environmentFile = builtins.toFile "lego-yandex-env" ''
|
||||
YANDEX_CLOUD_FOLDER_ID=b1gq41rsbggeum4qafnh
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
programs.fish.enable = true;
|
||||
|
||||
|
@ -89,6 +103,7 @@ in
|
|||
secretFile = name: depot.users.tazjin.secrets."${name}.age";
|
||||
in
|
||||
{
|
||||
lego-yandex.file = secretFile "lego-yandex";
|
||||
tgsa-yandex.file = secretFile "tgsa-yandex";
|
||||
};
|
||||
|
||||
|
|
BIN
users/tazjin/secrets/lego-yandex.age
Normal file
BIN
users/tazjin/secrets/lego-yandex.age
Normal file
Binary file not shown.
|
@ -13,4 +13,5 @@ in
|
|||
"geesefs-tazjins-files.age".publicKeys = allKeys;
|
||||
"miniflux.age".publicKeys = allKeys;
|
||||
"tgsa-yandex.age".publicKeys = allKeys;
|
||||
"lego-yandex.age".publicKeys = allKeys;
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue